Expert Advice Community

Developing documents

Guest user Created:   Oct 23, 2018 Last commented:   Oct 23, 2018

I was wondering if it’s necessary to write policy documents for the ones that are not applicable to our organisation. For example, we don’t allow employees to bring their own devices to work; do we need to write the Bring your own device policy?

Expert
Rhand Leal Oct 23, 2018

Answer:

You only have to develop policies and implement controls in these situations:
- There are unacceptable risks that can be treated by the control/policy
- There are legal requirements (e.g., laws, contracts, or regulations) demanding the implementation of the control/policy
- Top management has decided to implement the control/policy (normally by considering it a good practice or because the organization will have a competitive advantage with its adoption)

If none of these reasons applies, you do not need to develop the policy / implement the control.

These articles will provide you further explanation about developing policies and implementing controls:
- The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
- 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/
